CVE-2016-5325

MEDIUM

Description

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

References

http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

http://rhn.redhat.com/errata/RHSA-2017-0002.html

http://www.securityfocus.com/bid/93483

https://access.redhat.com/errata/RHSA-2016:2101

https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762

https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

https://security.gentoo.org/glsa/201612-43

Details

Source: MITRE

Published: 2016-10-10

Updated: 2018-01-05

Type: CWE-113

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM